mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-03 07:38:10 +00:00
Code Issues Releases Wiki Activity
linux-stable/net/tls
History
Daniel Jordan f3dec7e7ac net/tls: Fix flipped sign in tls_err_abort() calls 
commit da353fac65 upstream.

sk->sk_err appears to expect a positive value, a convention that ktls
doesn't always follow and that leads to memory corruption in other code.
For instance,

    [kworker]
    tls_encrypt_done(..., err=<negative error from crypto request>)
      tls_err_abort(.., err)
        sk->sk_err = err;

    [task]
    splice_from_pipe_feed
      ...
        tls_sw_do_sendpage
          if (sk->sk_err) {
            ret = -sk->sk_err;  // ret is positive

    splice_from_pipe_feed (continued)
      ret = actor(...)  // ret is still positive and interpreted as bytes
                        // written, resulting in underflow of buf->len and
                        // sd->len, leading to huge buf->offset and bogus
                        // addresses computed in later calls to actor()

Fix all tls_err_abort() callers to pass a negative error code
consistently and centralize the error-prone sign flip there, throwing in
a warning to catch future misuse and uninlining the function so it
really does only warn once.

Cc: stable@vger.kernel.org
Fixes: c46234ebb4 ("tls: RX path for ktls")
Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-11-02 19:48:19 +01:00
..
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile net/tls: add skeleton of MIB statistics 2019-10-05 16:29:00 -07:00
tls_device.c net/tls: Fix use-after-free after the TLS device goes down and up 2021-06-10 13:39:18 +02:00
tls_device_fallback.c net/tls: Fix use-after-free after the TLS device goes down and up 2021-06-10 13:39:18 +02:00
tls_main.c net/tls: Fix use-after-free after the TLS device goes down and up 2021-06-10 13:39:18 +02:00
tls_proc.c net: fix proc_fs init handling in af_packet and tls 2021-02-23 15:53:23 +01:00
tls_sw.c net/tls: Fix flipped sign in tls_err_abort() calls 2021-11-02 19:48:19 +01:00
tls_toe.c net/tls: rename tls_hw_* functions tls_toe_* 2019-10-04 14:07:07 -07:00
trace.c net/tls: add tracing for device/offload events 2019-10-05 16:29:00 -07:00
trace.h net/tls: add device decrypted trace point 2019-10-05 16:29:00 -07:00